deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

updates

Browse Source
This commit is contained in:
Paolo Matarazzo 2023-11-20 15:14:04 -05:00
parent 2028d65280
commit 41e5a88aa4
6 changed files with 63 additions and 61 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
windows/security/operating-system-security/network-security/windows-firewall/configure-logging.md
View File

@ -32,7 +32,6 @@ Alternatively, you can configure devices using a [custom policy][INT-1] with the
| Setting | | Setting |
|--------| |--------|
| **Setting name**: Turn On Virtualization Based Security<br>**OMA-URI**: `./Device/Vendor/MSFT/Policy/Config/DeviceGuard/EnableVirtualizationBasedSecurity`<br>**Data type**: int<br>**Value**: `1`| | **Setting name**: Turn On Virtualization Based Security<br>**OMA-URI**: `./Device/Vendor/MSFT/Policy/Config/DeviceGuard/EnableVirtualizationBasedSecurity`<br>**Data type**: int<br>**Value**: `1`|
| **Setting name**: Credential Guard Configuration<br>**OMA-URI**: `./Device/Vendor/MSFT/Policy/Config/DeviceGuard/LsaCfgFlags`<br>**Data type**: int<br>**Value**:<br>&emsp;**Enabled with UEFI lock**: `1`<br>&emsp;**Enabled without lock**: `2`|
# [:::image type="icon" source="../../../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo) # [:::image type="icon" source="../../../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo)

6
windows/security/operating-system-security/network-security/windows-firewall/configure-rules-with-gpo.md → windows/security/operating-system-security/network-security/windows-firewall/configure-rules-with-wfas.md
View File

@ -1,13 +1,13 @@
--- ---
title: Configure Windows Firewall rules with group policy title: Configure firewall rules with WFAS console
description: Learn how to configure firewall rules using group policy with the Windows Firewall with Advanced Security console. description: Learn how to configure firewall rules using group policy with the Windows Firewall with Advanced Security console.
ms.topic: how-to ms.topic: how-to
ms.date: 11/14/2023 ms.date: 11/14/2023
--- ---
# Configure Firewall rules with group policy # Configure rules with WFAS console
This article contains examples how to configure Windows Firewall rules using group policy (GPO), with the *Windows Firewall with Advanced Security* console. This article contains examples how to configure Windows Firewall rules using the *Windows Firewall with Advanced Security* console.
## Access the Windows Firewall with Advanced Security console ## Access the Windows Firewall with Advanced Security console

73
windows/security/operating-system-security/network-security/windows-firewall/configure.md
View File

@ -15,7 +15,7 @@ Windows offers different tools to view the status and configure Windows Firewall
- [Windows Security](#windows-security) - [Windows Security](#windows-security)
- [Control Panel](#control-panel) - [Control Panel](#control-panel)
- [Windows Defender Firewall with Advanced Security](#windows-defender-firewall-with-advanced-security) and its integration with the Microsoft Management Console (MMC) - [Windows Defender Firewall with Advanced Security](#windows-defender-firewall-with-advanced-security) (WFAS)
- [Configuration Service Provider (CSP)](#configuration-service-provider-csp) - [Configuration Service Provider (CSP)](#configuration-service-provider-csp)
- [Command line tools](#command-line-tools) - [Command line tools](#command-line-tools)
@ -45,7 +45,7 @@ Windows offers different tools to view the status and configure Windows Firewall
:::row-end::: :::row-end:::
:::row::: :::row:::
:::column span="3"::: :::column span="3":::
The *Windows Defender Firewall* Control Panel applet (`firewall.cpl`) provides basic functionalities to configure Windows Firewall. The *Windows Defender Firewall* Control Panel applet provides basic functionalities to configure Windows Firewall. Select <kbd>START</kbd>, type `firewall.cpl`, and press <kbd>ENTER</kbd>.
:::column-end::: :::column-end:::
:::column span="1"::: :::column span="1":::
:::image type="content" source="images/control-panel.png" alt-text="Screenshot showing the Windows Defender Firewall control panel applet." lightbox="images/control-panel.png" border="false"::: :::image type="content" source="images/control-panel.png" alt-text="Screenshot showing the Windows Defender Firewall control panel applet." lightbox="images/control-panel.png" border="false":::
@ -58,10 +58,14 @@ Windows offers different tools to view the status and configure Windows Firewall
:::row-end::: :::row-end:::
:::row::: :::row:::
:::column span="3"::: :::column span="3":::
The *Windows Defender Firewall with Advanced Security* MMC snap-in provides advanced configuration functionalities. It can be used locally (`wf.msc`) and in group policy (GPO) implementations. The *Windows Defender Firewall with Advanced Security* (WFAS) is a Microsoft Management Console (MMC) snap-in that provides advanced configuration functionalities. It can be used locally and in group policy (GPO) implementations.
- If you are configuring a single device, select <kbd>START</kbd>, type `wf.msc`, and press <kbd>ENTER</kbd>
- If you're configuring devices joined to an Active Directory domain, [create or edit](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc754740(v=ws.11)) a group policy object (GPO) and expand the nodes **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security**
:::column-end::: :::column-end:::
:::column span="1"::: :::column span="1":::
:::image type="content" source="images/mmc-advanced-security.png" alt-text="Screenshot of the Windows Defender Firewall with Advanced Security MMC snap-in." lightbox="images/mmc-advanced-security.png" border="false"::: :::image type="content" source="images/wfas.png" alt-text="Screenshot of the Windows Defender Firewall with Advanced Security MMC snap-in." lightbox="images/wfas.png" border="false":::
:::column-end::: :::column-end:::
:::row-end::: :::row-end:::
:::row::: :::row:::
@ -71,7 +75,13 @@ Windows offers different tools to view the status and configure Windows Firewall
:::row-end::: :::row-end:::
:::row::: :::row:::
:::column span="4"::: :::column span="4":::
The [Firewall CSP](/windows/client-management/mdm/firewall-csp) provides an interface to configure and query the status of Windows Firewall, which can be used with a mobile device management (MDM) solution like Microsoft Intune. The [Firewall CSP][CSP] provides an interface to configure and query the status of Windows Firewall, which can be used with a mobile device management (MDM) solution like Microsoft Intune.
To learn more about the CSP options, follow these links:
- [Configure Windows Firewall settings][SETTINGS]: to configure the settings
- [Configure Windows Firewall rules][RULE]: to configure the rules
:::column-end::: :::column-end:::
:::row-end::: :::row-end:::
:::row::: :::row:::
@ -85,39 +95,9 @@ Windows offers different tools to view the status and configure Windows Firewall
:::column-end::: :::column-end:::
:::row-end::: :::row-end:::
## Local policy merge and application rules ## Group policy processing considerations
Firewall rules can be deployed: The Windows Firewall policy settings are stored in the registry. By default, group policies are refreshed in the background every 90 minutes, with a random offset between 0 and 30 minutes.
1. Locally using the [Windows Defender Firewall with Advanced Security](#windows-defender-firewall-with-advanced-security) console (`wf.msc`) or the local GPO editor (`gpedit.msc`)
1. Locally using [command line tools](#command-line-tools)
1. Remotely using group policy (GPO) settings if the device is a member of an Active Directory domain, or managed by Configuration Manager
1. Remotely using the [Firewall CSP](/windows/client-management/mdm/firewall-csp), with a mobile device management (MDM) solution like Microsoft Intune
*Rule merging* settings control how rules from different policy sources can be combined. Administrators can configure different merge behaviors for *Domain*, *Private*, and *Public profiles*.
The rule-merging policy settings either allow or prevent local administrators from creating their own firewall rules in addition to those rules obtained from GPO or CSP.
| | Path |
|--|--|
| **CSP** | Domain Profile: `./Vendor/MSFT/Firewall/MdmStore/DomainProfile/`[AllowLocalPolicyMerge](/windows/client-management/mdm/firewall-csp#mdmstoredomainprofileallowlocalpolicymerge) <br> Private Profile`./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/`[AllowLocalPolicyMerge](/windows/client-management/mdm/firewall-csp#mdmstoreprivateprofileallowlocalpolicymerge) <br> Public Profile `./Vendor/MSFT/Firewall/MdmStore/PublicProfile/`[AllowLocalPolicyMerge](/windows/client-management/mdm/firewall-csp#mdmstorepublicprofileallowlocalipsecpolicymerge) |
| **GPO** | **Computer Configuration** > **Windows Settings** > **Security Settings** > **Windows Defender Firewall with Advanced Security**|
Administrators may disable *LocalPolicyMerge* in high-security environments to maintain tighter control over endpoints. This setting can impact some applications and services that automatically generate a local firewall policy upon installation.
> [!IMPORTANT]
> If merging of local policies is disabled, centralized deployment of rules is required for any app that needs inbound connectivity.
It's important to create and maintain a list of such apps, including the network ports used for communications. Typically, you can find what ports must be open for a given service on the app's website. For more complex deployments, a thorough analysis might be needed using network packet capture tools.
In general, to maintain maximum security, admins should only deploy firewall exceptions for apps and services determined to serve legitimate purposes.
> [!NOTE]
> The use of wildcard patterns, such as `C:\*\teams.exe` isn't supported in application rules. You can only create rules using the full path to the application(s).
## Group policy processing
The Windows Firewall settings configured via GPO or CSP are stored in the registry. By default, group policies are refreshed in the background every 90 minutes, with a random offset of 0 to 30 minutes.
Windows Firewall monitors the registry for changes, and if something is written to the registry it notifies the *Windows Filtering Platform (WFP)*, which performs the following actions: Windows Firewall monitors the registry for changes, and if something is written to the registry it notifies the *Windows Filtering Platform (WFP)*, which performs the following actions:
@ -159,24 +139,7 @@ By default, the Windows Firewall blocks everything unless there's an exception r
Once the emergency is over, uncheck the setting to restore regular network traffic. Once the emergency is over, uncheck the setting to restore regular network traffic.
## WDAC tagging policies
Windows Firewall supports the use of Windows Defender Application Control (WDAC) Application ID (AppID) tags in firewall rules. With this capability, Windows Firewall rules can be scoped to an application or a group of applications by referencing process tags, without using absolute path or sacrificing security. There are two steps for this configuration:
### Step 1: Deploy WDAC AppId Tagging Policies
A Windows Defender Application Control (WDAC) policy must be deployed, which specifies individual applications or groups of applications to apply a *PolicyAppId tag* to the process token(s). Then, the admin can define firewall rules that are scoped to all processes tagged with the matching PolicyAppId.
Follow the detailed [WDAC Application ID (AppId) Tagging guide](../../../application-security/application-control/windows-defender-application-control/AppIdTagging/wdac-appid-tagging-guide.md) to create, deploy, and test an AppID policy to tag applications.
### Step 2: Configure Firewall Rules using PolicyAppId Tags
Use one of the two methods below to configure firewall rules using PolicyAppId tags:
- Deploy firewall rules with Microsoft Intune: when creating firewall rules with Intune Microsoft Defender Firewall Rules, provide the AppId tag in the Policy App ID setting. The properties come directly from the [Firewall configuration service provider](/windows/client-management/mdm/firewall-csp)(CSP) and apply to the Windows platform.
You can do this through the Intune admin center under Endpoint security > Firewall. Policy templates can be found via Create policy > Windows 10, Windows 11, and Windows Server > Microsoft Defender Firewall or Microsoft Defender Firewall Rules.
- Create local firewall rules with PowerShell: you can use [`New-NetFirewallRule`](/powershell/module/netsecurity/new-netfirewallrule) and specify the `-PolicyAppId` parameter. You can specify one tag at a time while creating firewall rules. Multiple User Ids are supported.
<!--links--> <!--links-->
[SEC-1]: windowsdefender://network/ [SEC-1]: windowsdefender://network/
[CSP]: /windows/client-management/mdm/firewall-csp

0
windows/security/operating-system-security/network-security/windows-firewall/images/mmc-advanced-security.png → windows/security/operating-system-security/network-security/windows-firewall/images/wfas.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 78 KiB

After

Width:  |  Height:  |  Size: 78 KiB

40
windows/security/operating-system-security/network-security/windows-firewall/rules.md
View File

@ -46,6 +46,38 @@ When first installed, network applications and services issue a *listen call* sp
> [!NOTE] > [!NOTE]
> The firewall's default settings are designed for security. Allowing all inbound connections by default introduces the network to various threats. Therefore, creating exceptions for inbound connections from third-party software should be determined by trusted app developers, the user, or the admin on behalf of the user. > The firewall's default settings are designed for security. Allowing all inbound connections by default introduces the network to various threats. Therefore, creating exceptions for inbound connections from third-party software should be determined by trusted app developers, the user, or the admin on behalf of the user.
### WDAC tagging policies
Windows Firewall supports the use of Windows Defender Application Control (WDAC) Application ID (AppID) tags in firewall rules. With this capability, Windows Firewall rules can be scoped to an application or a group of applications by referencing process tags, without using absolute path or sacrificing security. There are two steps for this configuration:
1. Deploy WDAC AppId Tagging Policies: a Windows Defender Application Control (WDAC) policy must be deployed, which specifies individual applications or groups of applications to apply a *PolicyAppId tag* to the process token(s). Then, the admin can define firewall rules that are scoped to all processes tagged with the matching PolicyAppId. For more information, see the [WDAC Application ID (AppId) Tagging guide](../../../application-security/application-control/windows-defender-application-control/AppIdTagging/wdac-appid-tagging-guide.md) to create, deploy, and test an AppID policy to tag applications.
1. Configure Firewall Rules using PolicyAppId Tags using one of the two methods:
- Deploy firewall rules with Microsoft Intune: when creating firewall rules with Intune Microsoft Defender Firewall Rules, provide the AppId tag in the Policy App ID setting. The properties come directly from the [Firewall configuration service provider](/windows/client-management/mdm/firewall-csp)(CSP) and apply to the Windows platform. You can do this through the Intune admin center under Endpoint security > Firewall. Policy templates can be found via Create policy > Windows 10, Windows 11, and Windows Server > Microsoft Defender Firewall or Microsoft Defender Firewall Rules
- Create local firewall rules with PowerShell: you can use [`New-NetFirewallRule`](/powershell/module/netsecurity/new-netfirewallrule) and specify the `-PolicyAppId` parameter. You can specify one tag at a time while creating firewall rules. Multiple User Ids are supported
## Local policy merge and application rules
*Rule merging* policy settings control how rules from different policy sources can be combined. Administrators can configure different merge behaviors for *Domain*, *Private*, and *Public profiles*.
The rule-merging policy settings either allow or prevent local administrators from creating their own firewall rules in addition to those rules obtained from GPO or CSP.
| | Path |
|--|--|
| **CSP** | Domain Profile: `./Vendor/MSFT/Firewall/MdmStore/DomainProfile/`[AllowLocalPolicyMerge](/windows/client-management/mdm/firewall-csp#mdmstoredomainprofileallowlocalpolicymerge) <br> Private Profile`./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/`[AllowLocalPolicyMerge](/windows/client-management/mdm/firewall-csp#mdmstoreprivateprofileallowlocalpolicymerge) <br> Public Profile `./Vendor/MSFT/Firewall/MdmStore/PublicProfile/`[AllowLocalPolicyMerge](/windows/client-management/mdm/firewall-csp#mdmstorepublicprofileallowlocalipsecpolicymerge) |
| **GPO** | **Computer Configuration** > **Windows Settings** > **Security Settings** > **Windows Defender Firewall with Advanced Security**|
Administrators may disable *LocalPolicyMerge* in high-security environments to maintain tighter control over endpoints. This setting can impact some applications and services that automatically generate a local firewall policy upon installation.
> [!IMPORTANT]
> If merging of local policies is disabled, centralized deployment of rules is required for any app that needs inbound connectivity.
It's important to create and maintain a list of such apps, including the network ports used for communications. Typically, you can find what ports must be open for a given service on the app's website. For more complex deployments, a thorough analysis might be needed using network packet capture tools.
In general, to maintain maximum security, admins should only deploy firewall exceptions for apps and services determined to serve legitimate purposes.
> [!NOTE]
> The use of wildcard patterns, such as `C:\*\teams.exe` isn't supported in application rules. You can only create rules using the full path to the application(s).
## Firewall rules recommendations ## Firewall rules recommendations
Here's a list of recommendations when designing your firewall rules: Here's a list of recommendations when designing your firewall rules:
@ -79,6 +111,14 @@ What follows are a few general guidelines for configuring outbound rules.
- It's recommended to *allow outbound* by default for most deployments for the sake of simplification with app deployments, unless the organization prefers tight security controls over ease-of-use - It's recommended to *allow outbound* by default for most deployments for the sake of simplification with app deployments, unless the organization prefers tight security controls over ease-of-use
- In high security environments, an inventory of all apps should be logged and maintained. Records must include whether an app used requires network connectivity. Administrators need to create new rules specific to each app that needs network connectivity and push those rules centrally, via GPO or CSP - In high security environments, an inventory of all apps should be logged and maintained. Records must include whether an app used requires network connectivity. Administrators need to create new rules specific to each app that needs network connectivity and push those rules centrally, via GPO or CSP
## Configure firewall rules
Firewall rules can be configure with the following tools:
- Using the [Firewall CSP](/windows/client-management/mdm/firewall-csp), with a mobile device management (MDM) solution like Microsoft Intune. For more information, see [][]
- Using the Windows Defender Firewall with Advanced Security (WFAS) console, locally or via GPO. For more information, see [][]
- Using command line tools. For more information, see [][]
## Next steps ## Next steps
> [!div class="nextstepaction"] > [!div class="nextstepaction"]

4
windows/security/operating-system-security/network-security/windows-firewall/toc.yml
View File

@ -7,8 +7,8 @@ items:
items: items:
- name: Configure Windows Firewall - name: Configure Windows Firewall
href: configure.md href: configure.md
- name: Configure rules with group policy - name: Configure firewall rules with WFAS console
href: configure-rules-with-gpo.md href: configure-rules-with-wfas.md
- name: Configure with command line tools - name: Configure with command line tools
href: configure-with-command-line.md href: configure-with-command-line.md
- name: Configure with Microsoft Intune 🔗 - name: Configure with Microsoft Intune 🔗